Date: Mon, 24 Sep 2001 01:24:41 +0200
From: "Karl M. Joch" <k.joch@kmjeuro.com>
To: "David Kirchner" <davidk@accretivetg.com>, <freebsd-security@freebsd.org>
Subject: Re: New worm protection
Message-ID: <060301c14487$048f79f0$0a05a8c0@ooe.kmjeuro.com>
References: <20010923135836.Q85958-100000@localhost>
I have made a quick and maybe dirty solution which helps me a lot on the servers. It handles multiple error files. My error files are reset once every 24h, so I don't get too big files.

#!/usr/bin/perl
# blockwins: scan the Apache error logs for Code Red / Nimda probes
# and deny every probing client under one ipfw rule number.
use strict;
use warnings;

############################################
# include trailing / in run & wrk
my $run      = "/usr/local/blockwins/";
my $wrk      = "/usr/local/blockwins/data/";     # create it in advance
my $logfiles = "/usr/local/blockwins/logfiles";  # made by ls /var/log/your-apache-error-logs
my $domfile  = "IPs";
my $rule     = "50";                             # the ipfw rule you want to use
#*************************************************** end of config

# prefill the date:
chomp(my $dat = `date "+%y/%m/%d %H:%M"`);
my $cnt  = 0;   # new IPs found in this run
my $cnto = 0;   # all IPs in the database (old + new)
my $cnt2 = 0;   # matching accesses in this run

# open the domain/register file, creating it if non existent:
my %domains;
dbmopen(%domains, "$wrk$domfile", 0640) || die "$0: cannot open $wrk$domfile: $!\n";

# GET OUR LOGFILES
open(my $input, '<', $logfiles) || die "$0: cannot open $logfiles !\n";
while (my $logname = <$input>) {
    chomp($logname);
    next if $logname eq '';
    open(my $log, '<', $logname) || die "cannot open $logname! \n";
    while (<$log>) {
        ## [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
        my $virus = 0;
        $virus = 1 if /winnt/;
        $virus = 1 if /root\.exe/;
        $virus = 1 if /cmd\.exe/;
        $virus = 1 if /default\.ida/;
        next unless $virus;

        # block them: take the client IP and the last path component
        # (the file the worm asked for); skip lines that carry no client
        next unless /client ([0-9.]+)\].*\/([^\/]*)$/;
        my ($ip, $comm) = ($1, $2);
        $cnt2++;
        $cnt++ unless exists $domains{$ip};   # first time we see this IP
        $domains{$ip} = $comm;                ## last command
    }
    close($log);
}
close($input);

print "########################################################################\n";
print "Attacks from Code Red/Nimda ($dat)\n";
print "########################################################################\n";
print "DIFFERENT IPs: $cnt\n";
print "########################################################################\n";
print "TOTAL ACCESS: $cnt2\n";
print "########################################################################\n";

# NOW LETS CHECK EVERYTHING:
# clear the one rule: all deny entries share rule number $rule, so one
# delete drops them all (it only complains on the very first run)
my @args = ("/sbin/ipfw", "-q", "delete", $rule);
system(@args) == 0 or print "system @args failed: $?\n";
# add all of our idiots:
foreach my $dom (sort keys %domains) {
    $cnto++;
    # print "$dom - denied access to the server with rule $rule\n";
    @args = ("/sbin/ipfw", "-q", "add", $rule, "deny", "all", "from", $dom, "to", "any");
    system(@args) == 0 or die "system @args failed: $?";
}
print "########################################################################\n";
print "All Rules (Total IPS: $cnto) added to Firewall\n";
print "Known Windows Systems denied access!\n";
print "########################################################################\n";
dbmclose(%domains);

-- 
-- Best regards / Mit freundlichen Gruessen,
Karl M. Joch
KMJ Consulting - CTS Consulting & Trade Service
http://www.kmjeuro.com - http://www.ctseuro.com
k.joch@kmjeuro.com - k.joch@ctseuro.com
GSM : +43-664-3407888

Our services:
http://www.proline.at - Network and security technology
http://www.eushop.net - Online shop and applications, simply rented
http://www.freebsd.at - Power Operating System

----- Original Message -----
From: "David Kirchner" <davidk@accretivetg.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, September 23, 2001 11:00 PM
Subject: Re: New worm protection

> Would it be possible to create an accept-filter module (ala accf_http)
> that could take care of these and future similar filters, server-wide?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
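The scan the script above performs, as an added example that is not part of the original post and not the poster's script: the same Apache error-log match for Code Red / Nimda probe signatures, written in Python so each piece can be tested offline. It goes a step beyond the post by recording first/last-seen timestamps per client IP, so entries that have gone quiet can be expired instead of accumulating in the database forever, and it renders the ipfw commands as strings rather than executing them. The log lines and addresses are constructed, the rule number 50 is taken from the post, and the "current time" and the 7-day expiry window are assumptions for the demo.

```python
"""Added example (not the poster's script): scan Apache 1.3 error-log lines
for Code Red / Nimda probes, aggregate per client IP with first/last-seen
timestamps, expire stale IPs, and render (not run) the ipfw commands."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in the Apache 1.3 error-log format quoted in the
# post; the addresses are made up.
SAMPLE_LOG = """\
[Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
[Mon Sep 10 10:39:01 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/scripts/root.exe
[Tue Sep 18 14:02:10 2001] [error] [client 10.0.0.7] File does not exist: /usr/local/www/winnt/system32/cmd.exe
[Tue Sep 18 14:02:11 2001] [error] [client 10.0.0.7] File does not exist: /usr/local/www/c/winnt/system32/cmd.exe
[Tue Sep 18 15:00:00 2001] [error] [client 192.0.2.55] File does not exist: /usr/local/www/favicon.ico
[Tue Sep 18 15:01:00 2001] [notice] Apache/1.3.20 (Unix) configured -- resuming normal operations
"""

# Assumed "current time" for the expiry demo (the post's own date).
NOW = datetime(2001, 9, 24, 1, 24, 41)

# The four substrings the post keys on; case-insensitive because IIS paths
# are case-insensitive and worm variants differ in case.
SIGNATURES = re.compile(r"default\.ida|cmd\.exe|root\.exe|winnt", re.IGNORECASE)

# Apache 1.3 error line: [ctime stamp] [level] [client a.b.c.d] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return (timestamp, ip, message), or None for lines without a client."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return ts, m.group("ip"), m.group("msg")


def classify(msg):
    """Return the requested file name if the message carries a worm
    signature, else None (the post keeps only the last path component)."""
    if not SIGNATURES.search(msg):
        return None
    path = msg.rsplit(":", 1)[-1].strip()
    return path.rsplit("/", 1)[-1]


def scan(lines, db=None):
    """Fold matching lines into db keyed by IP. Returns (db, new_ips, hits)."""
    db = {} if db is None else db
    new_ips = hits = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        comm = classify(msg)
        if comm is None:
            continue
        hits += 1
        entry = db.get(ip)
        if entry is None:
            new_ips += 1
            db[ip] = {"first": ts, "last": ts, "last_cmd": comm, "hits": 1}
        else:
            entry["last"] = max(entry["last"], ts)
            entry["last_cmd"] = comm
            entry["hits"] += 1
    return db, new_ips, hits


def expire(db, now, max_age_days):
    """Keep only IPs seen within max_age_days of now, so the deny list stops
    growing forever (the post's dbm file never forgets an IP)."""
    limit = timedelta(days=max_age_days)
    return {ip: e for ip, e in db.items() if now - e["last"] <= limit}


def ipfw_commands(db, rule=50):
    """Render the ipfw calls: one delete of the shared rule number, then one
    deny per IP in numeric address order. Returned as strings, not executed."""
    cmds = [f"/sbin/ipfw -q delete {rule}"]
    for ip in sorted(db, key=lambda a: tuple(int(o) for o in a.split("."))):
        cmds.append(f"/sbin/ipfw -q add {rule} deny all from {ip} to any")
    return cmds


if __name__ == "__main__":
    db, new_ips, hits = scan(SAMPLE_LOG.splitlines())
    print(f"DIFFERENT IPs: {new_ips}  TOTAL ACCESS: {hits}")
    for ip, e in db.items():
        print(f"{ip}: {e['hits']} hits, last {e['last_cmd']} at {e['last']}")
    for cmd in ipfw_commands(expire(db, NOW, 7)):
        print(cmd)
```

On the sample input the scan finds two probing hosts and four probe lines, ignores the favicon miss and the notice line, and the 7-day expiry drops the host last seen on Sep 10 so only 10.0.0.7 ends up in the rendered deny list.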